Depository Participant Audit

Are you aware that the Indian depository system aims to eliminate the burden of voluminous paper works involved in the scrip-based system? Yes, you heard that right. With the help of state-of-the-art technology, it enables the conversion of physical securities into electronic form, making it possible for paperless trading. But how do you ensure the safety and security of these electronic securities? That’s where the audit of depository participants in India comes into the picture. In this blog post, we will discuss the essential checklist for auditing depository participants in India and shed light on the concept of the depository system.

1. Introduction to Depository Participants in India

The introduction of depository services in India has revolutionized the securities market, making it more efficient and secure. The concept of depository was introduced in 1996, with the aim of providing a legal basis for the establishment of depositories to maintain ownership records of securities and effect changes in ownership records through book entry. The depositories act has provided investors with an option to hold securities in a dematerialized form in a depository, making them fungible and freely transferable. Investors have to open their accounts through a Depository Participant (DP) only. A DP is an agent appointed by the depository, authorized to offer depository services to all investors.

The DP is the interface between the depository and the investor. There are basically four participants in the depository system: the Depository, the Depository Participant, the Issuing Company, and the Investor. The apex body of the depository system is the depository, which can be compared to a bank. Securities can be held and processed by book entry, and securities transactions are conducted through depository participants. NSDL and CDSL are the two depositories in India, with 267 and 455 DPs respectively. DP audits are necessary to ensure that the organizational structure, infrastructure and staffing, effective event reporting systems, fraud and misappropriation reporting procedures, technology checklist, account opening procedures, and investor protection measures are all in place and working effectively. [1][2]

2. Need for Auditing DP Services

The need for auditing DP services in India is crucial, given the increasing volumes of paperwork related to the processing of share certificates. The introduction of scripless has led to the dematerialization of securities and the option for investors to choose between holding securities in physical or dematerialized form in a depository. With the depositories holding securities in electronic form, it is important to audit their systems to maintain investor trust and confidence.

An audit of DP services ensures that the organizational structure, infrastructure, and staffing requirements are adequate for the level of activity. It also ensures that effective reporting systems are in place to inform management of exceptional events and transaction-related issues. The audit should also assess the effectiveness of the fraud and misappropriation reporting procedures and technology used by the DP.

The account opening procedures audit checklist should include verification of proof of identity and residence collected as per NSDL requirements. An audit of DP services is necessary to protect the interests of investors and maintain the integrity of the capital market in India. As B. Samrish & Co. highlights, “The Depositories Act aims at providing a legal basis for the establishment of depositories to conduct the task of maintenance of ownership records of securities and effect changes in ownership records through book entry.” [3][4]

3. Organizational Structure Audit Checklist

The organizational structure audit checklist is an essential part of the DP audit process in India. This audit aims to ensure that the depository participant has adequate infrastructure and staff to handle the level of activity they are engaged in. It also ensures that proper accountability, role definitions, and segregation of duties are in place. The audit checks if the organizational structure and level of supervision are adequate for the number of branches or franchisees plus the number of client accounts handled.

The audit also checks for the effectiveness of systems and procedures to keep the management informed about exceptional events like hardware or software problems, back-up, UPS, staff to business ratio, decreasing hard-disk space, reducing the speed of the machines, etc. There should be effective systems in place to report exceptional transaction-related issues such as failure in delivery, delay in confirmation to clients, loss of certificates, complaints from clients about the non-receipt of credit for the securities, etc.

Additionally, the audit checks for fraud and misappropriation reporting procedures and whether there is a system/procedure for reporting attempted frauds, misappropriation of securities, etc. by clients or any employee of the participant/franchisee. The audit also checks that the depository participant is maintaining backup tapes, emergency repair disks, RAID controller configuration backups, and a copy of the downloads. Furthermore, the audit checks if the variable access scheme as suggested by NSDL has been put into operation. Finally, it ensures that the DPM system is physically and logically well-protected from unauthorized access, anti-virus software is loaded and upgraded, NSDL circulars and other information are read on MS Exchange, and the DPM system is connected to LAN/WAN of the Participant with permission of relevant authorities. [5][6]

4. Infrastructure and Staffing Requirements

When it comes to the infrastructure and staffing requirements for audit of depository participants in India, there are a number of factors that need to be considered. Firstly, it is important to ensure that the participant has adequate infrastructure including staff commensurate with the level of activity. Additionally, the organizational structure needs to be such that accountability, proper role definitions, and segregation of duties are in place.

Furthermore, the infrastructure needs to be protected from unauthorized access, and there should be anti-virus software in place that is updated regularly. It is also important to pay attention to the size of the equipment, memory, and disk-space back-up tapes in relation to the level of business operations.

When it comes to staffing, it is important to ensure that the organizational structure and level of supervision are adequate for the number of branches/franchisees and the number of client accounts handled. In addition, there needs to be a system/procedure for reporting exceptional transaction-related issues, including problems with hardware or any component of hardware/software backup, delay in confirmation to clients, and loss of certificates sent for Demat.

In order to ensure that these infrastructure and staffing requirements are being met, it is essential to conduct regular audits. As the Securities and Exchange Board of India notes, “MIIs are required to conduct System and Network Audit as per the framework enclosed.” By following this framework and ensuring that all requirement are being met, depository participants can help to ensure the safety and security of their clients’ investments. [7][8]

5. Effective Event Reporting Systems

Effective event reporting systems are essential for the smooth functioning of depository participant operations. These systems enable the identification and timely reporting of exceptional events, such as problems in hardware or software, reducing hard disk space, decreasing speed of machine, and other transaction-related issues. According to NSDL guidelines, depository participants must have a system/procedure in place to keep the management informed about such exceptional events.

To ensure business continuity, the DPM is managed and maintained in a manner that data processing integrity is maintained at all times. The systems are put in place to ensure that records are not lost, destroyed, or tampered with in the event of loss or destruction of data. Auditor may expand the scope of audit/add more audit points to achieve the objectives listed above. Participants are advised to extend full co-operation to their auditors to enable them to perform an effective audit.

In summary, effective event reporting systems are crucial for the timely identification and reporting of exceptional events. Compliance with NSDL guidelines and audit points is necessary to ensure business continuity and integrity of data processing systems. As a result, depository participants must maintain an effective event reporting system to streamline their operations. [9][10]

6. Fraud and Misappropriation Reporting Procedures

Fra and misappropriation are criminal activities that have adverse effects on all stakeholders involved, especially the clients. Consequently, during the audit of Depository Participants (DPs), it is essential to include Fraud and Misappropriation Reporting Procedures. The audit process aims to ensure that the DP has an effective system/procedure for reporting attempted frauds or misappropriation of securities by clients or any employee of the participant/franchisee. The DP must also describe the procedure used to report exceptional events related to transaction-related issues like failure in delivery instruction or any problems related to hardware or software. To determine the adequacy of the DP’s Fraud and Misappropriation Reporting Procedures, the auditor must consider several aspects, including whether there is an effective system to keep management informed, whether there is an effective system for reporting attempted frauds or misappropriation, among others. The primary aim of including Fraud and Misappropriation Reporting Procedures as part of DP audits is to protect investors and maintain the integrity of the securities market. [11][12]

7. Technology Audit Checklist

When conducting a technology audit for depository participants in India, it is essential to have a comprehensive checklist to ensure all necessary aspects are evaluated. The technology audit checklist focuses on assessing the processing system’s integrity, safeguarding client data, and ensuring business continuity in case of any threats to the system. The following are some points that must be covered in the technology audit checklist:

– Review of the IT infrastructure and network security policies to ensure that they comply with the regulatory requirements and industry best practices.

– Examination of the cybersecurity measures such as firewall, antivirus software, and intrusion detection mechanisms deployed to detect and prevent any unauthorized access to the system.

– Evaluation of the backup and disaster recovery mechanism in place to guarantee business continuity in the event of a system failure or other disasters.

– Analysis of the data integrity controls implemented, data completeness, and accuracy to prevent any tampering or loss of client data.

– Review of the security protocols for online and mobile transactions to reduce the risk of fraud, unauthorized access, and other cyber threats.

A well-prepared technology audit checklist helps evaluate the depository participants’ IT systems’ security posture and safeguards the clients’ interests. As quoted in the internal audit requirement, “To assure management that the DPM is managed and maintained in a manner that there is no threat to business continuity, integrity of data processing system is maintained at all times.” Ensuring that these measures are in place serves as an essential foundation in complying with industry standards. [13][14]